Open Source IDS: A Quick and Dirty Guide

Darrin Wassom, Technical Architect

The Road to Ruin?

– Introduction
– What is this thing called IDS?
– SHADOW
– SNORT
– Distributed IDS
– The Future
– Toolkit Essentials
– Links/Publications of Interest
– Questions

Introductions

Presenter – Darrin Wassom
  • Technical Architect
  • Information Security Compliance Team

Foundational presentation
– By no means a definitive guide!
– YMMV!

What is IDS?!?!

IDS = Intrusion Detection System. Two types:

– Host-based IDS (HIDS)
  • Tripwire is a great example
– Network-based IDS (NIDS)
  • ISS RealSecure, Cisco (formerly called NetRanger), Symantec and many other commercial products are available, but we don't care about those..... yet.
  • SHADOW
  • SNORT

SHADOW – The Granddaddy!

Secondary Heuristic Analysis for Defensive Online Warfare = SHADOW

Formerly called CIDER
– Cooperative Intrusion Detection Evaluation and Response

Developed by the Naval Surface Warfare Center (NSWC) in 1994 by Stephen Northcutt

SHADOW

Open Source components include
– TCPDUMP (key component!)
– OpenSSH
– Apache
– Tripwire
– PERL

Statistical means of viewing network traffic
– Patterns appear over time
– Looks for network anomalies

SHADOW – Screenshots

SHADOW – Caveats

SHADOW does not provide real-time analysis in the traditional sense
– Its strength lies in long-term packet analysis

SHADOW is not rule-based
– You won't receive event-specific alerts like "Code Red Attack"

SHADOW has been known to cause bouts of rage, insomnia and second thoughts about career choice
– It's not easy to configure!

SHADOW – Sounds Cool.... Tell me more!

Can be downloaded at
– http://www.nswc.navy.mil/ISSEC/CID/

Latest release published
– April 2003
  • Actively maintained by NSWC

SHADOW fork
– Guy Bruneau has provided an ISO image of Shadow on Slackware Linux (last updated 8/2003)
  • http://www.whitehats.ca/main/index.html
  • VERY cool, check it out!

SNORT – An Open Source Star

Developed by Marty Roesch in 1998

Rules-based
– also called signature-based

Benefits
– easy to install
– HIGHLY customizable
– Flexible
– FAST
– Can also work as a packet sniffer
  • supports BPF filter expressions, just like tcpdump!

SNORT – Modes of Operation

Packet Sniffer
– snort -v
  • prints packet headers to the screen only
– snort -vd
  • also shows the application-layer data in transit
– snort -vde
  • all of the above plus the data link (Ethernet) layer headers
– snort -vd tcp and not port ssh
  • example of a BPF filter expression: anything left on the command line after the options is handed to libpcap as a capture filter, exactly as with tcpdump
– snort -vd -l /var/tmp
  • logs packets into a directory for future analysis
– snort -vd -L /var/tmp/test.cap
  • writes packets to a specific file in TCPDUMP (pcap) format
– snort -r /var/tmp/test.cap
  • reads back any TCPDUMP file

SNORT – Modes of Operation

Intrusion Detection Mode
– The nuts and bolts!
– snort -i eth0 -c /etc/snort/snort.conf
  • specifies the eth0 interface and the location of the snort configuration file (snort.conf)
– Snort Configuration
  • snort.conf
    – Allows for any range of possibilities
    – Well documented and easy to follow

SNORT – Analysis of a Rule

alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXPLOIT gobbles SSH exploit attempt"; flow:to_server,established; content:"GOBBLES"; reference:bugtraq,5093; classtype:misc-attack; sid:1812; rev:2;)

Rule Header (everything before the parentheses)
– Action required
  • alert, log, pass, user-defined
– defines the network protocol (tcp here)
– source/destination addresses and ports ($EXTERNAL_NET any, $HOME_NET 22; the variables are set in snort.conf)
– traffic direction (-> or <>)

Rule Options
– Always enclosed in parentheses
– Define which attributes must be present to trigger an event (here: an established client-to-server flow whose payload contains "GOBBLES")

SNORT – Tips/Tricks for Rules

SID – Snort ID
– below 100 – Reserved (Marty Roesch / future use)
– 100-999,999 – Reserved for the rules shipped by the Snort Development Team
– 1,000,000 and above – Can be used for locally defined rules

Rule/Signature Maintenance
– SNORT regularly updates its rules and they can be downloaded from their site
– Oinkmaster
  • Script written to help with rule management
  • http://www.algonet.se/~nitzer/oinkmaster/

Creating Custom Rules
– use TCPDUMP or Ethereal to analyze the packets you wish to be alerted on.....
– Check sites like Internet Storm Center (http://isc.sans.org/) for timely rule updates
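To make the header/options split and the SID ranges concrete, here is an added example written for this page (it is not from the slides and not Snort's own code): it parses the slide's GOBBLES rule, classifies its SID, and applies the header plus the flow/content options to a constructed packet, then does the same for a locally written rule in the local SID range. The HOME_NET/EXTERNAL_NET values, the packets, and the "LOCAL ftp SITE EXEC" rule are assumptions for illustration; only the -> direction and the options used on the slide (plus nocase) are handled.

```python
"""Added example (not from the slides or the Snort project): parse the Snort 2.x
rule syntax shown above, classify the SID, and apply the header plus flow/content
options to a constructed packet.  Only the options on the slide plus nocase are
understood and only the -> direction; Snort's real engine is far richer."""
import ipaddress, re
from dataclasses import dataclass

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$", re.S)

def sid_range(sid: int) -> str:   # Snort 2.x manual: <100 reserved, <1M shipped, else local
    return "reserved" if sid < 100 else "distribution" if sid < 1_000_000 else "local"

def split_options(opts: str):
    """Split 'key:value; flag; ...' on semicolons outside double quotes."""
    items, buf, in_q = [], [], False
    for ch in opts:
        in_q ^= ch == '"'
        if ch == ";" and not in_q:
            items.append("".join(buf).strip()); buf = []
        else:
            buf.append(ch)
    items.append("".join(buf).strip())
    return [(k.strip(), v.strip() if sep else None)
            for k, sep, v in (i.partition(":") for i in items if i)]

def parse_content(text: str) -> bytes:
    """Decode a content value: quoted text with |xx xx| hex segments."""
    out = bytearray()
    for i, seg in enumerate(text.strip().strip('"').split("|")):
        out += bytes.fromhex(seg) if i % 2 else seg.encode("latin-1")
    return bytes(out)

@dataclass
class Rule:
    action: str; proto: str; src: str; sport: str; dst: str; dport: str
    options: list  # (key, value) pairs in rule order; value None for flag options
    def opt(self, key, default=None):
        return next((v for k, v in self.options if k == key), default)

def parse_rule(line: str) -> Rule:
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("not a Snort rule: " + line)
    return Rule(options=split_options(m["opts"]),
                **{k: v for k, v in m.groupdict().items() if k != "opts"})

@dataclass
class Packet:   # constructed stand-in for a decoded TCP segment plus its stream state
    src: str; dst: str; sport: int; dport: int; payload: bytes
    proto: str = "tcp"; to_server: bool = True; established: bool = True

def addr_matches(spec: str, ip: str, variables: dict) -> bool:
    if spec.startswith("!"):
        return not addr_matches(spec[1:], ip, variables)
    if spec == "any":
        return True
    if spec.startswith("$"):              # $HOME_NET etc. are set in snort.conf
        return addr_matches(variables[spec[1:]], ip, variables)
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def port_matches(spec: str, port: int) -> bool:   # any, 22, 1024:, :1023, 6000:6010
    if spec == "any":
        return True
    lo, sep, hi = spec.partition(":")
    if not sep:
        return port == int(lo)
    return (not lo or int(lo) <= port) and (not hi or port <= int(hi))

def rule_matches(rule: Rule, pkt: Packet, variables: dict) -> bool:
    if rule.proto not in ("any", pkt.proto):
        return False
    if not (addr_matches(rule.src, pkt.src, variables) and port_matches(rule.sport, pkt.sport)
            and addr_matches(rule.dst, pkt.dst, variables) and port_matches(rule.dport, pkt.dport)):
        return False
    state = {"to_server": pkt.to_server, "to_client": not pkt.to_server,
             "established": pkt.established, "stateless": True}
    flow = rule.opt("flow")               # every listed flow keyword must hold
    if flow and not all(state.get(f.strip(), False) for f in flow.split(",")):
        return False
    for i, (key, val) in enumerate(rule.options):   # every content must be present
        if key != "content":
            continue
        needle, hay = parse_content(val), pkt.payload
        if i + 1 < len(rule.options) and rule.options[i + 1][0] == "nocase":
            needle, hay = needle.lower(), hay.lower()
        if needle not in hay:
            return False
    return True

# Constructed snort.conf variables, the slide's GOBBLES rule, and a locally written
# rule in the local SID range ("SITE EXEC" is an illustrative FTP pattern only).
VARS = {"HOME_NET": "192.168.1.0/24", "EXTERNAL_NET": "!$HOME_NET"}
GOBBLES_RULE = parse_rule(
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXPLOIT gobbles SSH '
    'exploit attempt"; flow:to_server,established; content:"GOBBLES"; '
    'reference:bugtraq,5093; classtype:misc-attack; sid:1812; rev:2;)')
LOCAL_RULE = parse_rule(
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"LOCAL ftp SITE EXEC '
    'attempt"; flow:to_server,established; content:"SITE EXEC"; nocase; '
    'content:"|0d 0a|"; sid:1000001; rev:1;)')
```

The evaluation order here (header first, then flow state, then each content option in sequence) is the same order of thought you use when reading or writing a rule. Note that the GOBBLES rule only fires on an established, client-to-server flow from outside HOME_NET: the same payload arriving on port 23, from an internal host, or on a stream Snort has not seen established does not match, which is why the flow keyword matters so much for false-positive control.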

SNORT – A Problem

SNORT, by itself, is great for a single-probe installation
– One configuration file
– One set of rules
– One place to look for alerts, logs, etc.

Management and analysis become difficult with more than one probe
– multiple conf files to maintain
– rules issues
– which probe do you check for analysis?


SNORT – Distributed Approach

SNORT – Components to Webify!

ACID – written by Roman Danyliw
– Analysis Console for Intrusion Databases
– http://www.andrew.cmu.edu/~rdanyliw/snort/snortacid.html

Other Requirements (ship w/ most Linux distros)
– Web Server – Apache
– PHP
– SQL database – MySQL
– Other misc components

Sounds difficult!!
– Several EXCELLENT whitepapers are available
  • Step by Step guides!

SNORT – Uh, Where?

Steven Scott
– Red Hat 7.3 and 9.0
– VERY detailed and HIGHLY recommended
– http://www.snort.org/docs/snort-rh7-mysql-ACID-1-5.pdf
– http://www.superhac.com/snort/docs/snort_enterprise.pdf
  • Steven's site, Superhac, is intermittent. If you can't find the site, let me know and I'll send a copy of the document

Local Subject Matter Expert
– Mark Eanes
  • Putting him on the spot!


SNORT – Show me!

SNORT – Real Time?

Near real-time alerts are available!
– SWATCH
  • Simple WATCHer
  • http://swatch.sourceforge.net/
  • Can be configured to monitor just about any type of log file
    – can send email, pager or SMB popup
  • Easy to configure
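As an added example of what a swatch-style watcher actually does with Snort's alert file (example code written for this page; it is neither swatch nor anything from the slides): it parses Snort's alert_fast line format, notifies on "watchfor" patterns or on priority, and suppresses repeats of the same signature from the same source so one port scan does not page you hundreds of times. The sample alert lines, the local SIDs 1000001/1000002 and the notify stub are constructed assumptions.

```python
"""Added example (not from the slides, and not swatch itself): a swatch-style
watcher for Snort's alert_fast output.  It parses each alert line, notifies on
watchfor patterns or on high priority, and rate-limits repeats of the same
signature from the same source so a scan does not page you 500 times.  The
notifier only records what would be sent; the alert lines are constructed."""
import re
from datetime import datetime

# alert_fast line layout as written by Snort 2.x (ports are absent for ICMP)
FAST_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?\[Priority:\s+(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$")

def parse_fast_alert(line: str):
    """Return the alert fields as a dict, or None for non-alert lines."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    alert = m.groupdict()
    for k in ("gid", "sid", "rev", "prio"):
        alert[k] = int(alert[k])
    # The timestamp carries no year; only differences between alerts are used,
    # so strptime's default year is fine here.
    alert["time"] = datetime.strptime(alert["ts"], "%m/%d-%H:%M:%S.%f")
    return alert

class Watcher:
    def __init__(self, watchfor=(r"EXPLOIT", r"SHELLCODE"), min_priority=2, repeat_window=60):
        self.watchfor = [re.compile(p) for p in watchfor]  # always page on these
        self.min_priority = min_priority   # Snort priorities: 1 is the most severe
        self.repeat_window = repeat_window # seconds to hold repeats of (sid, src)
        self.last_seen = {}
        self.sent = []                     # what the mail/pager action would have sent

    def notify(self, alert, reason):
        self.sent.append((reason, alert["sid"], alert["src"], alert["dst"]))

    def process(self, line: str):
        alert = parse_fast_alert(line)
        if alert is None:
            return None                    # blank line, Snort banner, etc.
        hit = next((p.pattern for p in self.watchfor if p.search(alert["msg"])), None)
        if hit is None and alert["prio"] > self.min_priority:
            return "ignored"
        key = (alert["sid"], alert["src"])
        prev = self.last_seen.get(key)
        if prev is not None and (alert["time"] - prev).total_seconds() < self.repeat_window:
            return "suppressed"
        self.last_seen[key] = alert["time"]
        self.notify(alert, "watchfor " + hit if hit else "priority %d" % alert["prio"])
        return "notified"

def run(text: str, watcher: Watcher = None):
    """Feed a block of alert_fast lines through a watcher; returns per-line results."""
    watcher = watcher or Watcher()
    return [r for r in (watcher.process(l) for l in text.splitlines()) if r is not None]

# Constructed sample of Snort alert_fast output (sid 1812 is the slide's GOBBLES
# rule; the 1000001/1000002 entries are hypothetical local rules).
SAMPLE_ALERTS = """\
01/15-10:23:45.100000  [**] [1:1812:2] EXPLOIT gobbles SSH exploit attempt [**] [Classification: Misc Attack] [Priority: 3] {TCP} 10.7.7.7:43210 -> 192.168.1.10:22
01/15-10:23:46.200000  [**] [1:1812:2] EXPLOIT gobbles SSH exploit attempt [**] [Classification: Misc Attack] [Priority: 3] {TCP} 10.7.7.7:43211 -> 192.168.1.10:22
01/15-10:23:50.000000  [**] [1:1000002:1] LOCAL icmp sweep from outside [**] [Priority: 2] {ICMP} 10.7.7.7 -> 192.168.1.10
01/15-10:25:10.000000  [**] [1:1000002:1] LOCAL icmp sweep from outside [**] [Priority: 2] {ICMP} 10.7.7.7 -> 192.168.1.10
01/15-10:30:00.000000  [**] [1:1000001:1] LOCAL ftp SITE EXEC attempt [**] [Priority: 3] {TCP} 172.16.9.9:4000 -> 192.168.1.20:21
"""
```

In production this sits in a loop reading new lines as Snort appends them to the alert file, which is exactly what swatch does before handing the line to its mail, pager or exec actions. Keying the suppression on (sid, source) rather than on the whole line is what keeps a single scanner from generating one page per probed port while still letting a different signature from the same host through.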

SNORT – Usage/Application

Detection of Privilege Escalation
– DEMO
  • FTP Exploit
    – Gain root-level access to a public-facing FTP server
    – Would most likely go undetected
  • Results in SNORT/ACID
    – Link

SNORT – Usage/Application

Enterprise IDS
– Advantages
  • low cost (hardware, learning curve)
  • Extremely flexible
– Cons
  • Requires significant tuning/tweaking
  • Constant maintenance
    – rule mgmt issues
  • Eternal vigilance!
    – applies to ANY internal IDS presence

Augment Outsourced IDS

Point Solution
– Track internal vulnerabilities on a specific segment
  • outbound worm traffic is a great example

SNORT – The Future

Evolution
– Intrusion Prevention
  • Flex response (user-defined)
    – built-in
  • Snort Inline
    – actively developed
  • Both add elements of "intelligence" to dynamically block ports/hosts based on signatures
– Event Correlation
  • Analyze multiple log events
    – Coming soon!
– Sourcefire
  • Commercial arm of SNORT
    – founded by Marty Roesch

Toolkit Essentials

TCPDUMP
– http://www.tcpdump.org/

WINDUMP
– http://windump.polito.it/

Ethereal
– http://www.ethereal.com/

Links/Publications

SNORT
– http://www.snort.org/

Superhac
– http://www.superhac.org

SANS Reading Room
– http://rr.sans.org/

Publications (Available at Amazon)
– Snort 2.0 Intrusion Detection
  • Brian Caswell, Ryan Russell, Jay Beale, et al.
– Intrusion Detection with Snort
  • Jack Koziol
– IDS with Snort: Advanced Techniques
  • Rafeeq Rehman

Education

SANS Institute
– Education track devoted to Intrusion Detection
  • http://www.sans.org
  • http://www.giac.org
  • GCIA – GIAC Certified Intrusion Analyst
    – heavy coverage of TCPDUMP, Snort and advanced analysis techniques


Questions?

Thank You!

Contact Information
– Darrin Wassom
  • [email protected]
  • 616.391.9031 (Office)